US military learning cybersecurity lessons from businesses

The "Defense Strategy for Operating in Cyberspace" calls for industry best practices such as promoting secure computing by users, sound network design and secure network management.

It calls for mimicking private-sector business practices for securing networks. "DoD will integrate the private sector's continuous renewal method to harden its own computing devices and sustain its cyber hygiene best practices," the strategy says.

"Cyber hygiene must be practiced by everyone at all times; it is just as important for individuals to be focused on protecting themselves as it is to keep security software and operating systems up to date."

The initiative relies on the private sector to carry out some of its goals. For example, it calls on ISPs to work with the government to mitigate risks that affect military networks.

The strategy calls for cooperation with private industry to shore up supply chains and minimize risks posed by products and services that come from firms in other countries. Counterfeit products also pose a risk that needs to be mitigated, the DoD says.

The military will shorten its lifecycle for network infrastructure to fall in line with common private industry practices -- 12 to 36 months versus the current seven or eight years.

"To replicate the dynamism of the private sector and harness the power of emerging computing concepts, the DoD's acquisition processes for information technology will adopt five principles," the document says. These principles are:

Match the acquisition process with technology development lifecycles.

Employ incremental testing and development rather than deploying monolithic systems.

Sacrifice some customization for speed of deployment.

Impose different levels of oversight based on the department's prioritization of critical systems.

Improve security evaluation of all new systems. "No backdoor can be left open to infiltration; no test module can be left active."

In addition to drawing on corporate practices, the Pentagon policy statement offers some initiatives that businesses might learn from, though they are often too vague to offer clear steps that could be taken:

Build a culture of information assurance through training and by imposing higher penalties for malicious activity.

Employ secure cloud computing. (The document doesn't offer details on how it will secure its cloud resources, which is an ongoing challenge for corporate IT security professionals.)

Develop more secure architectures and operating concepts. (The document doesn't detail what they are.)

The Pentagon says it will rely on Silicon Valley to rapidly produce new technologies that could bolster defenses and change the way the Internet works. "DoD will explore game changing approaches, including new architectures, to strengthen DoD's defense capabilities and make DoD systems more resistant to malicious activity. DoD will pursue revolutionary technologies that rethink the technological foundations of cyberspace," the cyberspace strategy says. "To do so, DoD will partner with leading scientific institutions to develop new, safe, and secure cyberspace capabilities that are significantly more resistant to malicious activity."

That could be a boon for high-tech businesses, particularly those that can act quickly to develop new technologies. "DoD will also promote opportunities for small and medium-sized businesses, and the Department will work with entrepreneurs in Silicon Valley and other U.S. technology innovation hubs to move concepts rapidly from innovative idea, to pilot program, to scaled adoption across the DoD enterprise," the strategy says.

This work will include collaboration with academia and other elements of the government as well.